CN106662991B - Electronic certificate management system - Google Patents
Electronic certificate management system Download PDFInfo
- Publication number
- CN106662991B CN106662991B CN201580039657.1A CN201580039657A CN106662991B CN 106662991 B CN106662991 B CN 106662991B CN 201580039657 A CN201580039657 A CN 201580039657A CN 106662991 B CN106662991 B CN 106662991B
- Authority
- CN
- China
- Prior art keywords
- mobile device
- locking device
- identifier
- payload
- control system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00817—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the lock can be programmed
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00857—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the data carrier can be programmed
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/082—Access security using revocation of authorisation
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00412—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal being encrypted
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00817—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the lock can be programmed
- G07C2009/00825—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the lock can be programmed remotely by lines or wireless communication
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00857—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the data carrier can be programmed
- G07C2009/00865—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the data carrier can be programmed remotely by wireless communication
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00857—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the data carrier can be programmed
- G07C2009/0088—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the data carrier can be programmed centrally
Abstract
A kind of system and method for managing the electronic certificate of storage on the mobile device.Diversification key can be used to encrypt the information for being supplied to locking device and access control system in the system.Diversification key can be generated by the way that the component identifier of master key and such as mobile device identifier is supplied to diversification algorithm.Mobile device can be the pipeline for the information communication between access control system and locking device.Mobile device possibly can not decrypt the information encrypted via diversification key.Embodiment additionally provide using access control system come registration management mobile device, for user's mobile device credential identifier distribution and revocation and remove using locking device register management mobile device.
Description
Cross reference to related applications
This application claims the U.S. Provisional Patent Application No.62/006 submitted on June 2nd, 2014,836 equity,
Content is incorporated herein by reference in their entirety.
Background technique
Embodiments herein relates generally to the electronic certificate management for locking system.More specifically, reality of the invention
It applies example and is related to the secure distribution and management of electronic certificate.
The voucher of operation for managing locks system is usually physics in itself, such as to fill in locking
Set at least part of the card read at place, key card, token or mobile device.Therefore, present credential system usually requires that voucher
Interaction between locking device occurs at locking device or at least near locking device.For example, when needing voucher and lock
When determining the interaction between device, user may need by card reader brush associated with locking device include voucher card or
The voucher is presented near the card reader.
Similarly, when new voucher is added to locking system, voucher usually requires to be received by user and/or by user
Possess.Then, user may need such as by will each locking device in locking system associated with voucher
Physical location at the physical form of voucher is presented manually voucher is added to system.Using in one or more locking dress
The physics voucher presented at the position set, the voucher can be to manually add to the access control part of locking device.
Summary of the invention
One aspect of the present invention is related to a kind of method for credential management comprising by master key and mobile device mark
Know symbol to be input in diversification algorithm to generate diversification key, the mobile device identifier includes the letter for identifying mobile device
Breath.In addition, being come encryption control system payload (payload) using diversification key, control system payload includes extremely
Few one or more exclusive evidence identifier.The control system payload of encryption can be transmitted to movement by access control system
Device.In addition, locking device receives the control system payload for carrying out the encryption of self-moving device, and can be from locking device
Memory in retrieve master key.Locking device can also be decrypted using the master key and mobile device identifier that retrieve to be added
Close control system payload.
Another aspect of the present invention relates to a kind of methods for management system comprising by access control system from movement
Device receives mobile device identifier.It is close to generate diversification that mobile device identifier and master key are applied to diversification algorithm
Key, diversification key be used to encrypt the mobile device payload including one or more credential identifiers.In addition, one or
Multiple credential identifiers may include the information of the clearance level about mobile device.Access control system can be by the shifting of encryption
Dynamic device payload is transmitted to mobile device.In addition, locking device can receive the mobile dress for the encryption for carrying out self-moving device
It is set effective load.Locking device can also decrypt the mobile device payload of encryption, and from decrypted encryption mobile device
One or more credential identifiers are extracted in payload.In addition, locking device can be used extract it is one or more with
Identifier is demonstrate,proved to identify the clearance level of mobile device, and determines whether mobile device has using the clearance level identified
There is the permission of execution.
In addition, one aspect of the present invention be related to it is a kind of for cancelling storage one or more vouchers on the mobile device
The method of identifier.This method includes being transmitted by access control system for storing the first voucher identification on the mobile device
Symbol.The revocation request payload of encryption can also be received by locking device, the revocation of encryption request payload include with
Relevant second credential identifier of first credential identifier.Locking device can decrypt the revocation request payload of encryption, and
The second credential identifier is extracted from the revocation of decrypted encryption request payload.Locking device can also be by the second voucher
Identifier is identified as the identifier being revoked.In addition, locking device, which can receive, comes from movement including the first credential identifier
The transmission of device.Locking device can further identify the first credential identifier for receiving whether the identifier phase with revocation
It closes.
Another aspect of the present invention relates to a kind of method for cancelling the credential identifier of storage on the mobile device, institutes
The method of stating includes being transmitted by access control system for storing credential identifier on the mobile device, and by the access
Control system will cancel request and be sent to the mobile device.Revocation request can request from mobile device remove storage with
Demonstrate,prove identifier.This method can also include that access control system receives the credential identifier that storage is removed from mobile device
Notice.
Another aspect of the present invention relates to a kind of for removing the method for managing mobile device from the locking device of registration,
It includes that notice access control system removes the first management mobile device from access control system.In addition, replacement management is moved
Access control system can be used to register in dynamic device, and can execute on the locking device of the registration of voucher management system
Field device resets.The locking device payload of encryption can be received by access control system, and the locking device of encryption has
Imitating load includes that replacement field device resets identifier.Access control system can be extracted from the locking device payload of encryption
It replaces field device and resets identifier, and the replacement field device extracted reset identifier is sent to will be with the lock of registration
Determine one or more user's mobile devices that device is used together.
By considering that the detailed description and the accompanying drawings, other aspects of the present invention will become obvious.
Detailed description of the invention
What Fig. 1 showed illustrated embodiment according to the present invention includes one or more mobile devices, one or more locks
Determine the schematic diagram of the exemplary system of device and access control system.
Fig. 2A shows the mobile for carrying out registration management using access control system of illustrated embodiment according to the present invention
The flow chart of the example process of device and locking device.
Fig. 2 B is shown using diversification algorithm, master key and management mobile device, user's mobile device and/or locking
The identifier of device generates schematically showing for diversification key.
Fig. 3 shows the mobile for creating and being distributed to user for credential identifier of illustrated embodiment according to the present invention
The flow chart of the example process of device.
Fig. 4 show illustrated embodiment according to the present invention for cancelling one or more manually for user's mobile device
The flow chart of the example process of a credential identifier.
Fig. 5 show illustrated embodiment according to the present invention for cancelling one or more automatically for user's mobile device
The flow chart of the example process of a credential identifier.
Fig. 6 shows filling for removing management movement from the locking device of registration for illustrated embodiment according to the present invention
The flow chart for the example process set.
When read in conjunction with the accompanying drawings, it is better understood with the following of foregoing summary and certain embodiments of the present invention
Detailed description.For the purpose of illustrating the invention, some embodiments are shown in the attached drawings.It is to be understood, however, that this hair
It is bright to be not limited to arrangement and means shown in the accompanying drawings.
Specific embodiment
What Fig. 1 showed illustrated embodiment according to the present invention includes one or more mobile devices 102, one or more
The schematic diagram of the exemplary system 100 of locking device 104 and access control system 106.It can use various mobile devices 102,
Including such as mobile phone, smart phone, tablet computer, personal computing device and/or special hand-held device and other devices.
According to illustrated embodiment, mobile device 102 can have one or more transceivers 108, for include locking device 104 and
Other device communication datas of access control system 106.Further, it is possible to use various types of transceiver 108, including example
The active and passive transceiver that can be such as communicated via bluetooth (including bluetooth low energy) and/or WiFi.Mobile device 102
It can also include input/output device 110, such as keyboard, display and/or touch screen and other input/output dress
It sets.In addition, mobile device 102 may include one or more different processing units 112, it is such as programmable, dedicated
And/or hardwired state machines type processor and any combination thereof.For example, according to some embodiments, processing unit
112 may include multiple processors, and can have programmable kind, according to the volume by being stored in memory 116
Cheng Zhiling (such as software or firmware) limit operation logic 114 come execute algorithm and processing data.
As discussed in further detail below, in the illustrated embodiment, management mobile device 102a can be awarded and close
The relevant permission of management role or clearance level for being managed and/or configuring in the locking device 104 to system 100, simultaneously
User's mobile device 102b can be configured as the generally use for locking device 104, such as locking device 104 extremely
Few daily routine operation or use.
Locking device 104 can be lock, reader device, payment terminal and/or times that can be communicated with mobile device 102
What other kinds of device.For example, in the embodiment illustrated in fig. 1, locking device 104 is that have one or more transceivers
118, processing unit 120, memory 122, reader 124 and locking mechanism 126 (such as bolt and/or latch) electronics
Locking device.Memory 122 can be or can not be a part of processing unit 120.Mobile device 102 and locking device 104
It may be adapted to communicate with one another using one or more of a variety of different wireless communication techniques.For example, according to certain implementations
Example, locking device 104 can have the transmitting-receiving for allowing the bluetooth low energy between mobile device 102 and locking device 104 to communicate
Device 118.In addition, mobile device 102 and locking device 104 can be via NFC and/or WiFi (such as according to some embodiments
WiFi Direct) it is communicated.
Can processing unit 120 to locking device 104 use various types of processing unit, can such as compile
Journey, dedicated and/or hardwired state machines, or any combination thereof.Processing unit 120 can also include multiple processors, all
Such as such as arithmetic logic unit (ALU), central processing unit (CPU), digital signal processor (DSP).With multiple processing
The processing unit 120 of unit can also utilize distributed, assembly line and/or parallel processing.Processing unit 120 can also be specially
For the execution of only operation described herein, or can be utilized in one or more additional applications.In the form of description
In, processing unit 120 has programmable kind, and basis is such as referred to by the programming stored in the memory 122 of locking device 104
The operation logic 128 of (such as software or firmware) restriction is enabled to execute algorithm and processing data.Alternatively or additionally, it grasps
Make logic 128 at least partly to be limited by firmware hardwired logic or other hardware.Processing unit 120 may include be suitable for processing from
The signal that the input/output device 130 (such as keyboard, reader 124 or elsewhere) of locking device 104 receives
And any kind of one or more components of institute's phase output signal are provided.Such component may include digital circuit,
The combination of analog circuit or both.
The memory 122 of locking device 104 can be included in processing unit 120 and/or be couple to processing unit
120.In addition, memory 122 can have one or more types, such as solid-state kind, electromagnetism kind, optics kind or these
The combination of form.In addition, memory 122 can be volatibility, non-volatile or these types combination, and memory
Some or all of 122 can be portable kind, disk, tape, memory stick, cassette tape etc..In addition, according to certain
Embodiment, memory 122 can store the data manipulated by the operation logic 128 of processing unit 120, such as indicate from input/
The data of signal that is that output device 130 receives and/or being sent to input/output device 130, or instead area definition is grasped
Make the programming instruction of logic 128.
Access control system 106 may include can be in a number of different manners (including for example by internet, honeycomb number
According to network or any combination thereof) one or more servers 132 for being communicated with mobile device 102 and/or locking device 104, it is all
Such as server for example based on cloud and/or network-based server.In addition, according to some embodiments, different servers 132
It can be used for different purposes, such as installing, safeguarding and/or managing access control system 106, locking device
104 and/or mobile device 102 or relative server 132a based on cloud and another different server 132b,
(such as general routine use of locking device 104 and/or operation) such as other purposes it is network-based
Server.Access control system 106 can also include one or more databases 134 or other record systems.It can use each
The combination of the type of the different types of database 134 of kind and database 134.For example, one or more servers 132 can wrap
It includes database 134a and/or (is such as used for manufacturer, manufacturer and/or the assembling of locking device 104 with auxiliary data base
The auxiliary data base 134b of quotient) operationally communicate.
Fig. 2 shows moving for carrying out registration management using access control system 106 for illustrated embodiment according to the present invention
The flow chart of the example process 200 of dynamic device 102a and locking device 104.At step 202, management mobile device 102a is all
As being for example connected to access control system 106 by being connected to server 132, so that communication can be in management mobile device
It transmits and is received by it between 102a and access control system 106.At step 204, access control system is can be used in user
106 register user account to register or access.For example, the user of mobile management mobile device 102a can will be various types of
Information input to access control system 106, including for example with user or associated mechanisms, management mobile device 102a and/or with
The associated one or more related information of locking device 104 of user/mechanism and other information.Control access system 106
Then user associated with user account is registered and/or management mobile device 102a can be registered.At step 206, access
Control system payload is transmitted to management mobile device 102a by control system 106.Control system payload may include
Various types of information, such as one or more exclusive evidence identifiers, access permission and/or configuration license.Separately
Outside, access control system 106 can be used managing diversity key and carry out encryption control system payload.As shown in Figure 2 B
, according to some embodiments, managing diversity key can be by least can be by access control system 106 and locking device
Known to 104 rather than master key known to management mobile device 102a and management mobile device identifier (such as manage
Sequence number, production code, product number and/or the universal unique identifier (UUID) and other identifier symbol of mobile device) it answers
It is generated with to diversification algorithm.In addition, as discussed below, can also generate in a similar way for system 100 its
The diversification key of his component, such as by master key and with specific components (such as mobile device 102 or locking device
104) associated identifier is supplied to diversification algorithm to generate associated diversification key.At step 208, management is moved
Dynamic device 102a receives the control system payload of transmission.
In the case where carrying out registration management mobile device 102a using access control system 106, mobile device 102a is managed
Locking device 104 can be presented to.Therefore, at step 210, such as via the processing unit by locking device 104
120 carry out communication (communication that is carried out in the keyboard such as via input code to input/output device 130, by locking
The identification for the data that the card reader of device 104 carries out registers voucher or from management mobile device 102a to the receipts of locking device 104
Send out the communication of device 118) reception, locking device 104 can be placed in enrollment mode.It is contemplated that quilt can be combined
The locking device 104 that is placed in enrollment mode and various operations occur, such as can enter registration mould in locking device 104
The locking device 104 authenticates the information received by locking device 104 before in formula.At step 212, in locking device 104
In enrollment mode and in the case where establishing locking device 104 and managing the connection between mobile device 102a, management
Mobile device 102a can be used for encrypted control system payload from management mobile device 102a to locking device 104
Transmission.
At step 214, the master key and/or management mobile device identifier being comprised in memory 122, lock are used
Determining device 104 will attempt to decrypt the control system payload received.If locking device 104, which cannot decrypt control system, to be had
Load is imitated, then at step 216, terminates locking device 104 and manages the connection between mobile device 102a.However, if lock
Control system payload can be decrypted by determining device 104, then at step 218, locking device 104 is by locking device payload
It is sent to management mobile device 102a.Locking device payload may include various information, and such as field device resets
Identifier and one or more locking device identifiers, such as locking device UUID, sequence number and/or production code, with
And other kinds of identifier.Furthermore it is also possible to carry out encryption lock device payload using managing diversity key.In step
At 220, management mobile device 102a receives the encrypted locking device payload of transmission from locking device 104.According to certain
A little embodiments, management mobile device 102a then can via the access that is provided by access control system 106 and configuration license Lai
Control locking device 104.
At step 222, locking device payload information can be transmitted to access control by management mobile device 102a
System 106.At step 224, access control system 106 can be registered or be recorded or store effective from the locking device of transmission
The information that payload reception arrives.Such registration can future self-locking device payload the information received with it is associated
It registers user account and/or locking device 104 is associated.For example, according to some embodiments, access control system 106 can be
The information for carrying out self-locking device payload is registered in database 134, such as one or more locking device identifiers are all
As for example field device resets identifier.In addition, the registration of information may include recording the information in one or more databases
It is operationally accessed in 134a, 134b or to one or more servers 132 of access control system 106.
By generating and using diversification key using diversification algorithm with manner described herein, in locking device
The information encrypted in the payload transmitted between 104 and access control system 106 possibly can not be accessed by mobile device 102.
In addition, including that identifier relevant at least mobile device 102 can be excluded and/or be reduced by returning in generating diversification key
Put attack damage system 100 safety it is successful a possibility that.
Fig. 3 shows the mobile for creating and being distributed to user for credential identifier of illustrated embodiment according to the present invention
The flow chart of the example process 300 of device 102b.Credential identifier for user's mobile device 102b can be with various sides
Formula generates, including for example by the use of the application 136 on management mobile device 102a, or by visiting via network gateway
Ask access control system 106.For example, the application that may be mounted on management mobile device 102a 136 can handle, receive and/
Or storage it is related/from access control system 106, management mobile device 102a, user's mobile device 102b and/or locking device
104 data.For example, application 128 can be controlled in conjunction with via management mobile device 102a to/from access according to some embodiments
System 106 processed and locking device 104 transmit information such as encrypted safety and/or authentication information or data to make
With.In addition, it is as discussed above, at least decryption edge can not be configured as using 136 and therefore management mobile device 102a
By management mobile device 102a transmitting the information encrypted using diversification key.In addition, for mobile device 104b with
And the credential identifier for managing mobile device 104a can be stored in mobile device 104a, 104b, such as by
It is stored using 136.
According to illustrated embodiment, at step 302, using 136 or network gateway can be used for and access control system
106 foundation are operatively connected.At step 304, using the connection, new voucher identification is established about the user for system 100
The information of symbol can be sent to access control system 106.Various differences can be provided and/or selected for new credential identifier
The information of type, the selection including to be for example directed to the new voucher clearance level provided or authorization.Various differences can be provided
Clearance level for selecting, such as easy access, the ability for the credential identifier for once accessing, requesting other new and/
Or configure the ability and other licenses of one or more locking devices 104.In addition, access control system 106 can be provided
Have an identification information relevant to user's mobile device 102b and/or associated user, such as contact details (such as with
Family and/or the associated telephone number of user's mobile device 102b or e-mail address) and other information.
At step 306, from access control system 106 and/or management mobile device 102a system 100 is added
Invitation can be transmitted to user's mobile device 102b.According to some embodiments, the invitation can be sent to user and/
Or the associated telephone number of user's mobile device 102b or e-mail address.The invitation may include various information, including
Such as application 136 is downloaded into the invitation registered on user's mobile device 102b and/or using access control system 106.If
User selects addition system 100, then at step 308, application 136 can be downloaded to user mobile device 102b, and use
Family can register in access control system 106.At step 310, access control system 106 can receive user's mobile device
Identifier, such as the sequence number of user's mobile device 102b, production code, product number and/or general unique mark
Know symbol (UUID) and other identifier symbol.According to some embodiments, during the enrollment process at step 308, the mobile dress of user
Access control system 106 can be sent to by setting identifier.
At step 312, access control system 106 can encrypt user's mobile device payload.For example, according to certain
Embodiment, master key and user's mobile device identifier can be used in access control system 106 has to encrypt user's mobile device
Imitate load.In addition, according to some embodiments, access control system 106 can be used master key, user's mobile device identifier and
Diversification algorithm encrypts user's mobile device payload, to generate user's diversification key.User's mobile device of encryption
Payload may include various information, including for example one or more user's mobile device identifiers and user's mobile device
102b and locking device 104 work required other information together, including for example indicate to be assigned to user's mobile device 102b
The information of clearance level, credential identifier, locking identifier and/or field device reset identifier and other information.This
Outside, according to illustrated embodiment, encrypted user's mobile device payload can be stored on user's mobile device 104b,
To allow associated credential identifier to be stored in user's mobile device 104b.
At step 314, user's mobile device 102b can establish the connection with locking device 104.Use the company of foundation
It connects, at step 316, user's mobile device payload can be transmitted to locking device 104 by user's mobile device 102a.
At step 318, the master key being comprised in memory 122 and/or one or more mobile device marks are used
Know symbol, locking device 104 will be attempted to decrypt the user's mobile device payload received, such as decrypt and use use
User's mobile device payload of family diversification key encryption.If locking device 104, which is unable to decrypted user mobile device, to be had
Imitate load, then at step 320, locking device 104 can refuse user's mobile device 102b access locking device 104 and/or
Connection between locking device 104 and user's mobile device 102b is terminated.However, if locking device 104 can decrypt use
Family mobile device payload, then according to some embodiments, user's mobile device 102b is authorized to be communicated with locking device 104.
If locking device 104 can decrypted user mobile device payload, at step 322, locking device 104
It by the information encrypted in user's mobile device payload and can be stored in locking device 104 or locking device 104 can
The information (including the information or data being stored in the memory 122 of locking device 104) of access is compared.For example, locking
Device 104 can by the one or more locking device identifiers encrypted in user's mobile device payload be stored in
The locking device identifier of similar type in the memory 122 of locking device 104 is compared.If comparing instruction to self solve
The locking device identifier of close user's mobile device payload and the lock being stored in the memory 122 of locking device 104
It is not identical, dissimilar and/or uncorrelated to determine device identification, then at step 324, locking device 104 can terminate and user
The communication of mobile device 102b and/or refusal user's mobile device 102b access locking device 104.
If decryption user's mobile device payload in locking device identifier and be stored in locking device 104
Locking device identifier in memory 122 is identical, similar and/or related, then at step 326, locking device 104 can be incited somebody to action
It the other information of user's mobile device payload from decryption and is stored in locking device 104 or locking device 104 can
The information of access is compared, such as by from the field device of user's mobile device payload reset identifier with by
The field device that locking device 104 stores resets identifier and is compared.In such an example, if the field device compared
It is not identical, dissimilar and/or uncorrelated to reset identifier, then at step 328, locking device 104 can be terminated to be moved with user
The communication of dynamic device 102b and/or refusal user's mobile device 102b access locking device 104.In addition, field device resets mark
Know symbol between this comparison can manage mobile device 102a lose or change in the case where security level be provided, this be because
The reset identifier of the field device on locking device 104 will be changed to execute field device and resetting.
However, if the one or more comparisons executed at step 322 indicate that the information or data compared is identical, phase
Like and/or it is related, then at step 330, locking device 104, which can be assessed, to be comprised in user's mobile device of encryption and effectively carries
The clearance level of user's mobile device 102b in lotus, and user's mobile device 102b is verified with completion user's mobile device
102b just attempts the license or permission for the movement completed.If user's mobile device 102b does not have the license of execution or power
Limit, then at step 332, locking device 104 can terminate mobile with the communication of user's mobile device 102b and/or refusal user
Device 102b accesses locking device 104.However, completing to be somebody's turn to do if locking device 104 determines that user's mobile device 102b is authorized to
Movement, then at step 334, the communication between locking device 104 and user's mobile device 102b can according to need continuation with
Complete the movement of authorization.
Fig. 4 show illustrated embodiment according to the present invention for cancelling one manually for user's mobile device 102b
Or the flow chart of the example process 400 of multiple credential identifiers.At step 402, management mobile device 102a can be made
It determines or is instructed to user's mobile device 102b and be no longer allowed access to locking device 104.At step 404, generates revocation and use
The request of the present credential identifier of family mobile device 102b.Revocation request can generate in a number of different manners.For example, root
It, can be by the use of the application on management mobile device 102a or via arriving access control system 106 according to some embodiments
Portal website connection come generate request.
At step 406, user's shifting is sent to for cancelling the order of credential identifier of user's mobile device 102b
Dynamic device 102b.According to some embodiments, countermand an order can by access control system 106, management mobile device 102a or its
Combination is to generate and be transmitted to user's mobile device 102b.According to some embodiments, countermanding an order can be sent to and user
The associated one or more e-mail addresses of mobile device 102b or one or more telephone numbers.
At step 408, revocation response payload can be transmitted to management mobile device by access control system 106
102a.According to some embodiments, regardless of whether receiving response, access control system 106 from user's mobile device 102b
Management mobile device 102a can be sent by revocation response payload.Revocation response payload may include various letters
Breath, such as will with for be revoked together with information necessary to being communicated with locking device 104 credential identifier and its
His information.In addition, such as via can be by by the master key from access control system 106 and one or more managing
The use for the managing diversity key that mobile device identifier is supplied to diversification algorithm to generate, revocation response payload can
To be encrypted.
At step 410, which can be responded payload and be transmitted to locking device by management mobile device 102a
104.According to some embodiments, when next subsequent communications between management mobile device 102a and locking device 104 are established,
The revocation can be responded into payload and be transmitted to locking device 104.At step 412, locking device 104 can for example with
The similar mode of those of discussion decrypts revocation response payload before.At step 414, the voucher mark being revoked is being determined
When knowledge symbol is intended at least partly associated with the revocation response locking device 104 of payload is received, locking device 104 will
Credential identifier is identified as being revoked.For example, according to some embodiments, voucher mark that locking device 104 can will be revoked
Know the record for according with the credential identifier for distributing to revocation or list, or the state to credential identifier distribution revocation.
At step 416, when user's mobile device 102b is subsequently attempted at least partly using the voucher identification being revoked
Symbol accesses locking device 104 and 104 decrypting payloads of locking device and determines that credential identifier is for the spy
When determining locking device 104, locking device 104 by check be used for user's mobile device 102b credential identifier whether via
Locking device 104 is listed, specified and/or is recorded as with revocation state.For example, locking device 104 can according to some embodiments
To access the column of the credential identifier being revoked for example stored in the memory 122 of locking device 104 by locking device 104
Table, and determine whether credential identifier is present in record or the list of the credential identifier being revoked.If locking dress
It sets 104 and identifies that the credential identifier of presentation is the credential identifier of revocation, then at step 418, locking device 104 will be refused
Mobile device 102 accesses locking device 104.In addition, locking device 104 can send commands to user's shifting at step 420
The credential identifier is removed using 136 on dynamic device 102b.At step 422, application 136 can continue mobile from user
Device 102b removes credential identifier.Application 136 on user's mobile device 102b can also generate user's mobile device 102b
The notice of transmission is filled from user is mobile with notifying access control system 106 and/or managing the application 136 on mobile device 102a
It sets 102b and removes credential identifier.
Fig. 5 show illustrated embodiment according to the present invention for cancelling one automatically for user's mobile device 102b
Or the flow chart of the example process 500 of multiple credential identifiers.At step 502, management mobile device 102a can be made
It determines or is instructed to user's mobile device 102b and be no longer allowed access to locking device 104.At step 504, generate for removing
Sell the request of the present credential identifier of user's mobile device 102b.Revocation request can generate in a number of different manners.Example
It such as, can be by the use of the application on management mobile device 102a or via arriving access control system according to some embodiments
Portal website's connection of system 106 is requested to generate.
At step 506, user's shifting is sent to for cancelling the order of credential identifier of user's mobile device 102b
Dynamic device 102b.According to some embodiments, countermand an order can by access control system 106, management mobile device 102a or its
Combination is to generate and be transmitted to user's mobile device 102b.According to some embodiments, countermanding an order can be sent to and user
The associated one or more e-mail addresses of mobile device 102b or one or more telephone numbers.
At step 508, receive countermand an order when, the application 136 on user's mobile device 102b can be from user
Mobile device 102b removes credential identifier.For example, the application 136 on user's mobile device 102b can according to some embodiments
For good and all to remove credential identifier from user's mobile device 102b.Application at step 510, on user's mobile device 102b
Then 136 can be generated the communication for being provided to access control system 106 and/or managing mobile device 102a, provide one
Or notice or verifying that multiple credential identifiers have been removed from user's mobile device 102b.Such notice can be in the various times
Section is (including for example when completing to remove credential identifier from user's mobile device 102b, and/or in first for sending notice
When the generation of chance) it is sent to access control system 106.For example, if send notice before user's mobile device 102b
Power-off, then can send the notice when user's mobile device 102b is re-powered.
After removing one or more credential identifiers, if user's mobile device 102b is attempted and locking device 104
Communication, then user's mobile device 102b possibly can not transmit locking device 104 for desired payload information.Therefore, user
Mobile device 102b can receive the response of refusal from locking device 104, or connection will be overtime.
According to some embodiments, it is discussed above for cancel credential identifier exemplary manual and automated procedure 400,
500 can concurrently or serially run.For example, according to some embodiments, if automated procedure 500 cannot lead to voucher identification
Manual processes 400 then can be used in the revocation of symbol, and vice versa.According to other embodiments, manually and automatically process 400,500
Can concurrently be used as prevents further attempting to for security breaches.
Fig. 6 shows moving for removing management from the locking device 104 of registration for illustrated embodiment according to the present invention
The flow chart of the example process 600 of device 102a.It, can be on one or more locking devices 104 according to some embodiments
It executes field device to reset, this can then allow to become about which mobile device 102 is registered using locking device 104
Manage the change of mobile device 102a.In addition, it is pipe that the use that field device resets, which can permit change which mobile device 102,
Mobile device 102a is managed, without the presence of existing management mobile device 102a, thus in currently management mobile device 102a
This change of permission in the case where losing or being inoperable.In addition, being repaired in known manner when executing field device reset
Change field device and reset identifier, and any previously stored one or more credential identifiers can be from locking device 104
It removes.
As shown in Figure 1, field device can be executed in a number of different manners to reset and by another mobile device 102
It is appointed as management mobile device 102c.For example, at step 602, can notify access control system according to illustrated embodiment
106 such as since management mobile device 102a loses or inoperable and cause management mobile device 102a from being
System 100 removes.At step 604, such as at locking device 104, field device reset can be executed, it then can be with
Credential identifier, which is removed, from locking device 104 and modifies field device resets identifier.Therefore, locking device 104 is possibly can not
Operated via user's mobile device 102b, this is because the new field device of locking device 104 reset identifier may not
Match or be not similar to the one or more credential identifiers being stored on user's mobile device 102b.For at least similar original
Cause, in the case where losing or inoperable management mobile device 102a is made available by, management mobile device 102a can also
It can not be used together with locking device 104.
At step 606, the mobile device 102 as replacement management mobile device 102c is connected to access control system
System 106 and is registered using access control system 106, and then associated with management mobile device 102c.According to certain realities
Example is applied, the process for registering replacement management mobile device 102c can be similar to the example process above for Fig. 2A discussion
200.At step 608, replacement management mobile device 102c can be presented to locking device 104, and can transmit
It is close by the replacement management mobile device diversification for using master key, replacement management mobile device identifier and diversification algorithm to generate
The replacement control system payload of key encryption.
At step 610, using the master key and replacement management mobile device identifier being comprised in memory 122,
Locking device 104 will be attempted to decrypt the replacement control system payload received.If locking device 104 cannot decrypt control
System payload terminates the connection between locking device 104 and replacement management mobile device 102c then at step 612.So
And if locking device 104 can decrypt replacement control system payload, at step 614, locking device 104 will be locked
Determine device payload and be transmitted to replacement management mobile device 102c, is then received by replacement management mobile device 102c.Lock
Determining device payload can include various information again, such as replacement field device resets identifier and one or more lockings
Device identification.Furthermore it is also possible to carry out encryption lock device payload using replacement management diversification key.According to certain realities
Apply example, replacement management mobile device 102c then can via the access and configuration license provided by access control system 106 Lai
Control with locking device.
At step 616, the locking device payload of encryption can be transmitted and be visited by replacement management mobile device 102c
Ask control system 106.According to some embodiments, access control system 106 then can be such as logical by that will update reply
Know and is transmitted to replacement management mobile device 102c and/or locking device 104 to confirm and update.At step 618, controlled using access
System 106 processed, user associated with registration user account can indicate or identify that the credential identifier of which distribution will be by more
Newly, such as which user's mobile device 102b will receive the credential identifier updated.At step 620, access control system
Then system 106 can will may include that the field device updated resets the credential identifier of the update of identifier to be transmitted to user mobile
Device 102b, user's mobile device 102b be registered or be registered with one or more locking devices 104 and/or particular lock
Determine device 104 to be used together.
Various feature and advantage of the invention are described in the accompanying claims.In addition, to embodiment described herein
Change and modification will be apparent those skilled in the art, and the spirit and scope of the present invention can not departed from
And it does not reduce it to be expected to carry out such change and modification in the case where advantage.Although in the drawings and the preceding description
It is illustrated in detail and describes the present invention, it should be appreciated that the present invention is exemplary and not restrictive in nature,
It should be understood that the embodiment selected only has shown and described, and falls into described herein or limited by appended claims
All changes, equivalent and modification all expectations are protected in fixed the scope of the present invention.In addition, step as shown herein is understood
To be merely exemplary, and step can be combined or divided and be added or removed and in whole or in part again
Sequence.
While the invention has been described with reference to certain embodiments, it will be understood by those skilled in the art that not
In the case where departing from the scope of the present invention, various changes can be carried out and equivalent can be replaced.Furthermore, it is possible to carry out many
Modification is so that specific condition or material adapt to the teachings of the present invention without departing from its range.Therefore, it is intended that the present invention is unlimited
In disclosed specific embodiment, but the present invention will include all embodiments fallen within the scope of the appended claims.
Claims (18)
1. a kind of method for credential management, comprising:
Master key and mobile device identifier are input in diversification algorithm to generate diversification key, the mobile device mark
Know the information that symbol includes identification mobile device;
Carry out encryption control system payload using the diversification key, the control system payload includes at least one
Or multiple exclusive evidence identifiers;
The control system payload of encryption is transmitted to the mobile device by access control system;
The control system payload of encryption is received from the mobile device by locking device;
The master key is retrieved from the memory of the locking device by the locking device;And
The control of the encryption is decrypted using the master key and the mobile device identifier that retrieve by the locking device
System payload;
By the locking device and using the diversification key come encryption lock device payload, wherein the locking fills
Being set effective load includes that at least one locking device identifier and field device reset identifier;
The locking device payload of encryption is transmitted to the mobile device by the locking device;
The locking device payload of the encryption is received from the mobile device by the access control system;And
The locking of the encryption is decrypted using the master key and the mobile device identifier by the access control system
Device payload.
2. recording according to the method described in claim 1, further comprising the steps of: by the access control system from the encryption
At least part for the information that locking device payload is extracted.
3. according to the method described in claim 1, further include: the control system of the encryption is received in response to the mobile device
Unite payload and before the control system payload that the locking device receives the encryption by the locking device
It is placed in enrollment mode.
4. according to the method described in claim 1, further include: if the locking device cannot decrypt the control system of the encryption
System payload, then terminate the connection between the locking device and the mobile device.
5. according to the method described in claim 1, further include: the mobile device is registered using the access control system
User.
6. according to the method described in claim 1, further include:
Mobile device described in the access control system is notified just to remove from the access control system;
Replacement mobile device is registered using the access control system;
The field device on the locking device is stored in locking device execution field device reset with automatic modification to answer
Bit identifier simultaneously removes all credential identifiers being stored on the locking device;
The locking device payload of the second encryption is received by the access control system, wherein the locking dress of second encryption
Being set effective load includes that replacement field device resets identifier;
The replacement field device is extracted from the locking device payload of second encryption by the access control system to answer
Bit identifier;And
Sending the replacement field device extracted reset identifier to from the access control system will be with the locking device
The one or more user's mobile devices being used together.
7. according to the method described in claim 6, further include: identification will receive the replacement field device and reset the one of identifier
A or multiple user's mobile devices.
8. according to the method described in claim 6, further comprising the steps of:
Replacement management mobile device payload is generated by the access control system, wherein the replacement management mobile device has
Imitating load includes replacement management mobile device identifier;
The replacement management mobile device payload is encrypted using replacement management mobile device diversification key, wherein described
Replacement management mobile device diversification key is come using master key, the replacement management mobile device identifier and diversification algorithm
It generates;And
The replacement management mobile device payload of the encryption is received by the locking device of the registration.
9. according to the method described in claim 8, one in further comprising the steps of:
Described add is decrypted using at least described master key and the replacement management mobile device identifier by the locking device
Close replacement management mobile device payload;And
If the locking device cannot decrypt institute using at least described master key and the replacement management mobile device identifier
The replacement management mobile device payload for stating encryption, then terminate between the locking device and the replacement management mobile device
Connection.
10. a kind of method for management system, comprising:
Mobile device identifier is received from mobile device by access control system;
The mobile device identifier and master key are applied to diversification algorithm to generate diversification key;
Mobile device payload is encrypted by the access control system and using the diversification key, wherein
The mobile device payload includes one or more credential identifiers, one or more of credential identifiers include about
The information of the clearance level of the mobile device;
The mobile device payload of the encryption is transmitted to the mobile device by the access control system;
The mobile device payload of encryption is received from the mobile device by locking device;
It is decrypted by mobile device payload of the locking device to the encryption;
One or more of voucher marks are extracted from the mobile device payload of decrypted encryption by the locking device
Know symbol;
The permit level of the mobile device is identified using the one or more credential identifiers extracted by the locking device
Not;And
Determine whether the mobile device has execution by the locking device and based on the clearance level identified
Permission,
Wherein, the mobile device payload of the encryption includes that field device resets identifier, and the method also includes following
Step:
The field device is extracted from the mobile device payload of the decrypted encryption by the locking device to reset
Identifier;And
The field device extracted identifier is resetted by the locking device to fill with the scene stored by the locking device
Reset identifier is set to be compared.
11. according to the method described in claim 10, further include: it will be the system be added from the access control system
Invitation is transmitted to the mobile device.
12. according to the method for claim 11, further includes: in response to the receiving of the invitation the system is added, from
The access control system transmits the application for installing in the mobile device.
13. according to the method for claim 12, further includes: if the comparison indicates the field device extracted
Resetting identifier, to reset identifier with the field device stored by the locking device dissimilar, then terminate the mobile device and
Connection between the locking device.
14. according to the method described in claim 10, further include:
Payload is responded by the revocation that the locking device receives encryption, wherein the revocation response payload of the encryption is known
The credential identifier for the mobile device not to be revoked;
Payload is responded by the revocation that the locking device decrypts the encryption;
The mobile dress to be revoked described in being extracted from the revocation of decrypted encryption response payload as the locking device
The credential identifier set;
The credential identifier of the mobile device to be revoked extracted is identified as the mark being revoked by the locking device
Symbol;
The subsequent transmission from the mobile device including credential identifier is received by the locking device;And
It whether is the quilt by the credential identifier received that locking device identification is included in the subsequent transmission
The identifier of revocation.
15. according to the method for claim 14, further includes: if the identification step instruction be included in it is described after resume
The credential identifier in sending is the identifier being revoked, then terminates the locking device and institute by the locking device
State the connection between mobile device.
16. according to the method for claim 14, further includes: transmit the mobile device by the locking device and remove institute
State the requirement for the identifier being revoked.
17. according to the method for claim 14, further includes: Xiang Suoshu access control system identifies the credential identifier needle
The mobile device that it is revoked, and request will be cancelled by the access control system and be transmitted to the mobile device,
Wherein the revocation request request removes the credential identifier from the mobile device.
18. according to the method described in claim 10, further include:
Revocation request is transmitted to the mobile device by the access control system, the revocation request is requested from the movement
Device removes the credential identifier;And
The notice that the credential identifier has been removed from the mobile device is received by the access control system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910500679.3A CN110264182B (en) | 2014-06-02 | 2015-06-02 | Electronic certificate management system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462006836P | 2014-06-02 | 2014-06-02 | |
US62/006,836 | 2014-06-02 | ||
PCT/US2015/033802 WO2015187707A1 (en) | 2014-06-02 | 2015-06-02 | Electronic credental management system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910500679.3A Division CN110264182B (en) | 2014-06-02 | 2015-06-02 | Electronic certificate management system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106662991A CN106662991A (en) | 2017-05-10 |
CN106662991B true CN106662991B (en) | 2019-07-09 |
Family
ID=54703408
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201580039657.1A Active CN106662991B (en) | 2014-06-02 | 2015-06-02 | Electronic certificate management system |
CN201910500679.3A Active CN110264182B (en) | 2014-06-02 | 2015-06-02 | Electronic certificate management system |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910500679.3A Active CN110264182B (en) | 2014-06-02 | 2015-06-02 | Electronic certificate management system |
Country Status (6)
Country | Link |
---|---|
US (2) | US20150350913A1 (en) |
EP (1) | EP3149573A4 (en) |
CN (2) | CN106662991B (en) |
CA (2) | CA3030129C (en) |
MX (2) | MX2018016420A (en) |
WO (1) | WO2015187707A1 (en) |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2013221600B2 (en) * | 2012-02-13 | 2016-09-29 | Xceedid Corporation | Credential management system |
CA3030129C (en) * | 2014-06-02 | 2021-11-23 | Schlage Lock Company Llc | Electronic credential management system |
CA2968550A1 (en) * | 2014-12-02 | 2016-06-09 | Carrier Corporation | Remote programming for access control system with virtual card data |
IN2015CH04016A (en) * | 2015-08-03 | 2015-08-14 | Varadharajan Marur Srikrishna | |
EP3529437B1 (en) | 2016-10-19 | 2023-04-05 | Dormakaba USA Inc. | Electro-mechanical lock core |
CA3075189C (en) | 2017-09-08 | 2023-03-21 | Dormakaba Usa Inc. | Electro-mechanical lock core |
US11917070B2 (en) | 2018-02-17 | 2024-02-27 | Carrier Corporation | Method and system for managing a multiplicity of credentials |
KR102414927B1 (en) * | 2018-03-21 | 2022-06-30 | 삼성전자 주식회사 | Method and apparatus for authenticating a device using wireless local area network service |
DE102018204367A1 (en) * | 2018-03-22 | 2019-09-26 | Siemens Schweiz Ag | Method and system for authorizing the communication of a network node |
US11716320B2 (en) * | 2018-03-27 | 2023-08-01 | Workday, Inc. | Digital credentials for primary factor authentication |
US11698979B2 (en) * | 2018-03-27 | 2023-07-11 | Workday, Inc. | Digital credentials for access to sensitive data |
US11770261B2 (en) | 2018-03-27 | 2023-09-26 | Workday, Inc. | Digital credentials for user device authentication |
US11792180B2 (en) * | 2018-03-27 | 2023-10-17 | Workday, Inc. | Digital credentials for visitor network access |
US11012436B2 (en) | 2018-03-27 | 2021-05-18 | Workday, Inc. | Sharing credentials |
US11627000B2 (en) * | 2018-03-27 | 2023-04-11 | Workday, Inc. | Digital credentials for employee badging |
US11522713B2 (en) * | 2018-03-27 | 2022-12-06 | Workday, Inc. | Digital credentials for secondary factor authentication |
US11531783B2 (en) * | 2018-03-27 | 2022-12-20 | Workday, Inc. | Digital credentials for step-up authentication |
US11641278B2 (en) | 2018-03-27 | 2023-05-02 | Workday, Inc. | Digital credential authentication |
US11792181B2 (en) * | 2018-03-27 | 2023-10-17 | Workday, Inc. | Digital credentials as guest check-in for physical building access |
US11683177B2 (en) * | 2018-03-27 | 2023-06-20 | Workday, Inc. | Digital credentials for location aware check in |
US11700117B2 (en) | 2018-03-27 | 2023-07-11 | Workday, Inc. | System for credential storage and verification |
US11466473B2 (en) | 2018-04-13 | 2022-10-11 | Dormakaba Usa Inc | Electro-mechanical lock core |
WO2019200257A1 (en) | 2018-04-13 | 2019-10-17 | Dormakaba Usa Inc. | Electro-mechanical lock core |
US11144631B2 (en) * | 2018-09-11 | 2021-10-12 | Apple Inc. | Dynamic switching between pointer authentication regimes |
US20210134092A1 (en) * | 2019-10-30 | 2021-05-06 | OpenKey, Inc. | Universal Secure Mobile Device Entry Upgrade Electronics Unit for Electronic Locks and Method of Use Thereof |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101002420A (en) * | 2003-12-19 | 2007-07-18 | 摩托罗拉公司(在特拉华州注册的公司) | Mobile device and method for providing certificate based cryptography |
CN101482987A (en) * | 2009-01-19 | 2009-07-15 | 苏州工业园区新海宜电信发展股份有限公司 | Central control and management method for outdoor communication machine room door based on communication network |
CN101971186A (en) * | 2008-04-10 | 2011-02-09 | 日本电气株式会社 | Information leak prevention device, and method and program thereof |
WO2013123079A1 (en) * | 2012-02-13 | 2013-08-22 | Xceedid Corporation | Credential management system |
Family Cites Families (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4677284A (en) * | 1985-08-22 | 1987-06-30 | Genest Leonard Joseph | Multi-access security system |
US4829296A (en) * | 1986-04-30 | 1989-05-09 | Carey S. Clark | Electronic lock system |
GB8705892D0 (en) * | 1987-03-12 | 1987-04-15 | Security Services Plc | Keys |
US5473318A (en) * | 1992-01-10 | 1995-12-05 | Active Control Technology Inc. | Secure remote control system with receiver controlled to add and delete identity codes |
US5397884A (en) * | 1993-10-12 | 1995-03-14 | Saliga; Thomas V. | Electronic kay storing time-varying code segments generated by a central computer and operating with synchronized off-line locks |
US5668876A (en) * | 1994-06-24 | 1997-09-16 | Telefonaktiebolaget Lm Ericsson | User authentication method and apparatus |
US5612683A (en) * | 1994-08-26 | 1997-03-18 | Trempala; Dohn J. | Security key holder |
US5909183A (en) * | 1996-12-26 | 1999-06-01 | Motorola, Inc. | Interactive appliance remote controller, system and method |
US5905446A (en) * | 1997-03-24 | 1999-05-18 | Diebold, Incorporated | Electronic key system |
US6308266B1 (en) * | 1998-03-04 | 2001-10-23 | Microsoft Corporation | System and method for enabling different grades of cryptography strength in a product |
WO2001040605A1 (en) * | 1999-11-30 | 2001-06-07 | Bording Data A/S | An electronic key device, a system and a method of managing electronic key information |
US6971016B1 (en) | 2000-05-31 | 2005-11-29 | International Business Machines Corporation | Authenticated access to storage area network |
US20030028664A1 (en) * | 2001-08-02 | 2003-02-06 | Kaijun Tan | Method and system for secure distribution and utilization of data over a network |
EP1324276B1 (en) * | 2001-12-28 | 2008-10-15 | Matsushita Electric Works, Ltd. | Use of an electronic key and electronic security system |
WO2004077848A2 (en) * | 2003-02-21 | 2004-09-10 | Ge Interlogix, Inc. | Key control with real time communications to remote locations |
US6885738B2 (en) * | 2003-02-25 | 2005-04-26 | Bellsouth Intellectual Property Corporation | Activation of electronic lock using telecommunications network |
US7814314B2 (en) * | 2004-08-31 | 2010-10-12 | Ntt Docomo, Inc. | Revocation of cryptographic digital certificates |
US20070176739A1 (en) * | 2006-01-19 | 2007-08-02 | Fonekey, Inc. | Multifunction keyless and cardless method and system of securely operating and managing housing facilities with electronic door locks |
US20070271596A1 (en) * | 2006-03-03 | 2007-11-22 | David Boubion | Security, storage and communication system |
SE529849C2 (en) * | 2006-04-28 | 2007-12-11 | Sics Swedish Inst Of Comp Scie | Access control system and procedure for operating the system |
SE531723C2 (en) * | 2006-12-20 | 2009-07-21 | Phoniro Ab | Access control system, lock device, management device and associated methods and computer software products |
US20090113543A1 (en) * | 2007-10-25 | 2009-04-30 | Research In Motion Limited | Authentication certificate management for access to a wireless communication device |
US8631488B2 (en) * | 2008-08-04 | 2014-01-14 | Cupp Computing As | Systems and methods for providing security services during power management mode |
JP5522542B2 (en) * | 2008-09-30 | 2014-06-18 | 日本電気株式会社 | Mobile terminal execution function management system, method, and program |
US8797138B2 (en) * | 2009-01-13 | 2014-08-05 | Utc Fire & Security Americas Corporation, Inc. | One-time access for electronic locking devices |
US8521809B2 (en) * | 2009-07-31 | 2013-08-27 | Z2Live, Inc. | Mobile device notification controls system and method |
ES2428004T3 (en) * | 2009-09-16 | 2013-11-05 | Openways Sas | Secured digital control locks management system, adapted to operation through encrypted acoustic accreditations |
KR20110117560A (en) * | 2010-04-21 | 2011-10-27 | 삼성전자주식회사 | System and method for providing automatically update |
US20130117831A1 (en) * | 2010-04-30 | 2013-05-09 | Lock Box Pty Ltd | Method and system for enabling computer access |
US9042873B2 (en) * | 2010-06-07 | 2015-05-26 | Intelligent Mechatronic Systems Inc. | On the road groups |
CN103026682A (en) * | 2010-06-16 | 2013-04-03 | 德尔斐系统有限公司 | Wireless device enabled locking system |
US9961550B2 (en) * | 2010-11-04 | 2018-05-01 | Itron Networked Solutions, Inc. | Physically secured authorization for utility applications |
US8689297B2 (en) | 2010-11-19 | 2014-04-01 | Blackberry Limited | System, devices and method for secure authentication |
US20140002236A1 (en) * | 2010-12-02 | 2014-01-02 | Viscount Security Systems Inc. | Door Lock, System and Method for Remotely Controlled Access |
EP2500872A1 (en) * | 2011-03-08 | 2012-09-19 | Openways Sas | Secured method for controlling the opening of locking devices by means of a communication object such as a mobile phone |
US8417233B2 (en) * | 2011-06-13 | 2013-04-09 | Mercury Mobile, Llc | Automated notation techniques implemented via mobile devices and/or computer networks |
US20130335193A1 (en) * | 2011-11-29 | 2013-12-19 | 1556053 Alberta Ltd. | Electronic wireless lock |
US8712394B2 (en) | 2011-12-14 | 2014-04-29 | Blackberry Limited | Systems, methods, and apparatus to prepare a mobile device for provisioning |
US9202086B1 (en) * | 2012-03-30 | 2015-12-01 | Protegrity Corporation | Tokenization in a centralized tokenization environment |
US20130342314A1 (en) * | 2012-06-22 | 2013-12-26 | Gun Chen | Smart lock structure and operating method thereof |
KR101938332B1 (en) * | 2012-07-11 | 2019-01-14 | 캠프모바일 주식회사 | Method, service server, mobile phone and computer readable recording medium for mobile phone authentication |
US9043609B2 (en) | 2012-07-19 | 2015-05-26 | Bank Of America Corporation | Implementing security measures for authorized tokens used in mobile transactions |
US9710634B2 (en) * | 2012-08-03 | 2017-07-18 | Vasco Data Security, Inc. | User-convenient authentication method and apparatus using a mobile authentication application |
US9472034B2 (en) * | 2012-08-16 | 2016-10-18 | Schlage Lock Company Llc | Electronic lock system |
US8769651B2 (en) * | 2012-09-19 | 2014-07-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US9260885B2 (en) * | 2012-10-19 | 2016-02-16 | Brian Asquith | Theft deterrent lock |
US9009653B2 (en) * | 2013-02-28 | 2015-04-14 | Tata Consultancy Services Limited | Identifying quality requirements of a software product |
US9432361B2 (en) * | 2013-03-13 | 2016-08-30 | Lookout, Inc. | System and method for changing security behavior of a device based on proximity to another device |
US9712601B2 (en) * | 2013-07-22 | 2017-07-18 | International Business Machines Corporation | Cloud-connectable middleware appliance |
CN103473844B (en) * | 2013-10-12 | 2015-11-25 | 东信和平科技股份有限公司 | Public affairs are rented a house intelligent control method and system |
CN103679884B (en) * | 2013-12-02 | 2016-07-06 | 大连智慧城科技有限公司 | The Internet gate inhibition casual user's authorization device and method |
US9779224B2 (en) * | 2014-05-05 | 2017-10-03 | Securekey Technologies Inc. | Methods and systems for client-enhanced challenge-response authentication |
CA3030129C (en) * | 2014-06-02 | 2021-11-23 | Schlage Lock Company Llc | Electronic credential management system |
US9600949B2 (en) * | 2014-07-30 | 2017-03-21 | Master Lock Company Llc | Wireless key management for authentication |
-
2015
- 2015-06-02 CA CA3030129A patent/CA3030129C/en active Active
- 2015-06-02 MX MX2018016420A patent/MX2018016420A/en unknown
- 2015-06-02 EP EP15802702.9A patent/EP3149573A4/en not_active Ceased
- 2015-06-02 CN CN201580039657.1A patent/CN106662991B/en active Active
- 2015-06-02 WO PCT/US2015/033802 patent/WO2015187707A1/en active Application Filing
- 2015-06-02 US US14/728,701 patent/US20150350913A1/en active Granted
- 2015-06-02 CA CA2954758A patent/CA2954758C/en active Active
- 2015-06-02 CN CN201910500679.3A patent/CN110264182B/en active Active
- 2015-06-02 MX MX2016016008A patent/MX361983B/en active IP Right Grant
-
2019
- 2019-04-09 US US16/379,390 patent/US11023875B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101002420A (en) * | 2003-12-19 | 2007-07-18 | 摩托罗拉公司(在特拉华州注册的公司) | Mobile device and method for providing certificate based cryptography |
CN101971186A (en) * | 2008-04-10 | 2011-02-09 | 日本电气株式会社 | Information leak prevention device, and method and program thereof |
CN101482987A (en) * | 2009-01-19 | 2009-07-15 | 苏州工业园区新海宜电信发展股份有限公司 | Central control and management method for outdoor communication machine room door based on communication network |
WO2013123079A1 (en) * | 2012-02-13 | 2013-08-22 | Xceedid Corporation | Credential management system |
Non-Patent Citations (1)
Title |
---|
HID Global扩展iCLASS SE平台,新增iCLASS Seos凭证卡并支持"公开可监控设备协议(OSDP)";hidchina;《http://blog.sina.com.cn/blog_6f1b5970101a5db.html》;20120918;1—3 |
Also Published As
Publication number | Publication date |
---|---|
CN110264182B (en) | 2023-08-29 |
MX2018016420A (en) | 2021-08-13 |
MX361983B (en) | 2018-12-19 |
US11023875B2 (en) | 2021-06-01 |
CN106662991A (en) | 2017-05-10 |
CA3030129A1 (en) | 2015-12-10 |
WO2015187707A1 (en) | 2015-12-10 |
US20150350913A1 (en) | 2015-12-03 |
EP3149573A1 (en) | 2017-04-05 |
MX2016016008A (en) | 2017-05-30 |
CN110264182A (en) | 2019-09-20 |
CA3030129C (en) | 2021-11-23 |
US20190239079A1 (en) | 2019-08-01 |
EP3149573A4 (en) | 2017-11-22 |
CA2954758C (en) | 2019-03-12 |
CA2954758A1 (en) | 2015-12-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106662991B (en) | Electronic certificate management system | |
JP7436568B2 (en) | Methods and systems realized by blockchain | |
EP1388989B1 (en) | Digital contents issuing system and digital contents issuing method | |
US20130127593A1 (en) | Method of distributing stand-alone locks | |
CN109891416A (en) | For authenticating and the system and method for authorization device | |
CN105637915B (en) | Method for assigning agent equipment from from the first device registry to the second device registry | |
US9258283B2 (en) | Key management system, key management method, and communication device | |
JP4326443B2 (en) | Information processing apparatus, information processing method, and program | |
JP2006246015A (en) | Data communication system, proxy system server, computer program, and data communication method | |
KR20120110089A (en) | Method for remotely controlling and monitoring the data produced on desktop on desktop software | |
CN115066863B (en) | System and techniques for cross-account device key transfer in benefit denial systems | |
JP4833745B2 (en) | Data protection method for sensor node, computer system for distributing sensor node, and sensor node | |
JP2011012511A (en) | Electric lock control system | |
JP5391743B2 (en) | Payment processing security information distribution method, payment processing security information distribution system, center device thereof, server device, payment terminal, and program | |
WO2016035466A1 (en) | Communication system, program for server device, recording medium recording this program, program for communication device, recording medium recording this program, program for terminal device, and recording medium recording this program | |
US20060080464A1 (en) | System and method of utilizing a MAC address based unlocking key | |
CN113282945B (en) | Intelligent lock authority management method and device, electronic equipment and storage medium | |
JP2020088836A (en) | Vehicle maintenance system, maintenance server device, management server device, on-vehicle device, maintenance tool, computer program, and vehicle maintenance method | |
JP6742008B1 (en) | Usage control system, usage permit issuing device, usage control method, and computer-readable program | |
JP6895489B2 (en) | Key information generation system and key information generation method | |
KR20110105982A (en) | Method and system for managing remotely user's id and password | |
TW201503025A (en) | A vehicle rental system and a method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |